by Mike Masnick

Filed Under:
cyberwar, incompetence, stuxnet


Are We Talking About 'Cyberwar' Or Massive Incompetence?

from the perhaps-more-the-latter... dept

Rich Kulawiec points us to the news of Dillon Beresford of NSS Labs recently discovering (and revealing) that the Siemens control systems targeted by Stuxnet have massive security holes, including a hardcoded username/password combo ("basisk" for both, in case you were wondering). As Kulawiec noted:
We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar". Some of that has come from governments eager to justify their increasing invasion of citizen privacy. Some of that has come from government contractors, eager to score more $100M do-nothing contracts. And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.

But while Stuxnet is pretty darn clever, that's not the real problem. The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments. Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this? How could they allow such a rudimentary, obvious mistake to pass?

We don't need to spend billions (or trillions) on elaborate cyberwar initiatives. We need to stop making fundamental mistakes. We need to stop doing the stupid things that we KNOW are stupid.
But that kind of stuff isn't quite as sexy as declaring "cyberwar" and asking for billions of dollars from the government.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 11 Aug 2011 @ 4:29pm

    I could have sworn it was 12345 .... the same combo I use for my luggage

    reply to this | link to this | view in thread ]

  2. identicon
    Nicedoggy, 11 Aug 2011 @ 4:38pm

    That is probably not a "mistake" but a feature.

    Or some engineer backdoor into the system. You know like the chip designers like to put little easter eggs on microchips like a hot pepper etched into some corner of the chip.

    The less eyeballs something has the more chances such things can happen.

    reply to this | link to this | view in thread ]

  3. identicon
    TheStupidOne, 11 Aug 2011 @ 4:42pm

    I'll help em out

    I'm a guy with no computer security experience or training. But it looks like I'd do a better job than whomever Siemens hired. My hardcoded password and username combinations are different words, with uppercase and lowercase letters, a number or two, and at least one special character.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 11 Aug 2011 @ 4:44pm

    Re: I'll help em out

    You sound like a special character

    reply to this | link to this | view in thread ]

  5. icon
    pahosler (profile), 11 Aug 2011 @ 5:36pm

    Re: I'll help em out

    sorry this scheme is actually pretty weak, here's why...


    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Correct Horse Battery Staple, 11 Aug 2011 @ 5:47pm


    Now I have to change my passphrase again!

    M1st@k3n D0nkEy 0u+l3+ Pr0n

    reply to this | link to this | view in thread ]

  7. identicon
    Casey Bouch, 11 Aug 2011 @ 6:02pm

    Re: Re: I'll help em out

    All their saying here is a longer password is more secure, even when compared to a short password with more special characters

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 11 Aug 2011 @ 6:10pm

    Yes. Siemen made a "mistake." Yep. Let's just run with that. It's so much easier to palate than the alternative.

    reply to this | link to this | view in thread ]

  9. icon
    RussK (profile), 11 Aug 2011 @ 6:22pm

    Working in Automation

    I work in the Automation business and its not quite so simple. Until the last few years most automation systems worked as "islands of automation" not connected to anything except the equipment up and down stream of the machine and that often was hardwired with no network at all.

    Management demanded that all this equipment talk so that they could monitor the plant while they are in their front offices or at corporate HQ. That drove network connectivity big time. Too much demand while not much effort put into the security as it really wasn't needed until recent days. With no funding to speak of (security doesn't get any more product out the door) this was a obvious result.

    Stuxnet was an eye opener but not unexpected by us in the trenches. It is the management who controls budgets and until this event no one at my pay level had any attention of management.

    reply to this | link to this | view in thread ]

  10. icon
    That Anonymous Coward (profile), 11 Aug 2011 @ 6:37pm

    Cyberwar solutions

    Don't connect hyper critical things to the internet

    Don't give them easily accessible usb ports

    Don't make the button that screws the whole thing up large and red with a sign that says for gods sake don't press

    Don't put it next to the coffee maker in the breakroom

    Don't spend billions for a magic bullet that does not exist

    The people screaming the loudest your in danger are the ones looking to get paid to develop a super system that will never actually work

    The best defense is a good offense, hire grey hat hackers to hack the sites of people offering you services. No meetings with anyone they manage to penetrate.

    reply to this | link to this | view in thread ]

  11. identicon
    Joe Smith, 11 Aug 2011 @ 6:41pm

    Auto execution

    In 1973 I was introduced to computer programming. One month later a friend showed me the malicious opportunities inherent in auto-execution and yet we have the Web forty years later with auto execution (Java for example) rampant.

    reply to this | link to this | view in thread ]

  12. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:06pm


    The Iranian nuclear plant was NOT connected to the internet. It was still owned by stuxnet.

    Your cyberwar solutions are flawed.

    The only real cyberwar solution is to pull an Osama/Flynn; get off the grid completely. Live in a cave without electronics.

    reply to this | link to this | view in thread ]

  13. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:09pm

    Re: Re: I'll help em out

    I don't get it

    reply to this | link to this | view in thread ]

  14. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:10pm

    Re: Re: Re: I'll help em out

    Doesn't that just mean that in the end it all depends on how they encrypt the passwords you submit?

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:12pm

    Re: Re: I'll help em out

    That would be very useful, if only most websites didn't have a limit to 16 character passwords

    reply to this | link to this | view in thread ]

  16. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:14pm

    Re: Re:

    And ironically, thats how they got him. They found it was suspicious because he wasn't connected

    reply to this | link to this | view in thread ]

  17. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:15pm

    Re: Re:

    The reason it still got to the plant, was because they infected the main Russian engineer working on the project's USB memory drive. Currently the most common way to get infected by malware is by USB drive.

    reply to this | link to this | view in thread ]

  18. icon
    Overcast (profile), 11 Aug 2011 @ 8:38pm

    People trust computers too much. Simple as that. They are great tools, but we bank on them too much anymore..

    reply to this | link to this | view in thread ]

  19. identicon
    Anonymous Coward, 11 Aug 2011 @ 8:58pm

    Re: I'll help em out

    Well, trust me security in information technology is a whole lot more complicated than to some ignorant fool hard coding a user name and password; that is just down right stupid. Before I moved into the security field I was a programmer for 10 years and that is a newbie / ignorant fool's mistake. I the programmer is too lazy to type in the user name and password when needed he need to go find another job, like picking up trash or something.

    reply to this | link to this | view in thread ]

  20. icon
    G Thompson (profile), 11 Aug 2011 @ 9:56pm

    Re: Re: I'll help em out

    Which always reminds me of this


    and if any AC/troll thinks this is a dig at them... complex much? it is

    reply to this | link to this | view in thread ]

  21. icon
    Jeffrey Nonken (profile), 11 Aug 2011 @ 11:22pm

    Re: Re: Re:

    Disable autorun on USB drives.

    We had an annoying virus running around at work for the longest time, that was spread via flash drives. Every time we'd disinfect a machine it was infected again within a few days. I tried to get my boss to cough up a bit of cash to buy everybody Flash drives with a write-disable switch but he just said nobody would use the feature.

    So I found a registry hack that turned off the XP autorun and went around to every machine I could find, disabled it, and cleaned off the virus if required (usually). And cleaned off every memory stick I could beat out of people. Win7 wasn't an issue because it doesn't operate by the rusty nail principle (injects you with every rusty nail it encounters just in case the nail has the cure for cancer).

    Haven't seen the damned thing in more than a year.

    While it's mildly inconvenient to have to open a browser by hand any time I insert a Flash drive, it's less annoying than having my settings changed and having to yet again track down and eradicate a stupid keylogger that's for a game we don't have anyway.

    reply to this | link to this | view in thread ]

  22. icon
    That Anonymous Coward (profile), 11 Aug 2011 @ 11:45pm

    Re: Re:

    And my solutions are better than anything they want billions of dollars committed to. Because someone else pointed out a flaw in my idea, and it can be fixed with out having to pay another 5 billion in overruns.

    And stuxnet would not have made it to the system if someone hadn't connected something insecure to what should have been a secure machine on a secure network.

    reply to this | link to this | view in thread ]

  23. icon
    bratwurzt (profile), 12 Aug 2011 @ 12:28am

    Re: Auto execution

    Haha, is there a single java virus out there? :) There's not a lot of auto-execution with java (except if automatically clicking OK to every security question is called auto-execution).

    reply to this | link to this | view in thread ]

  24. icon
    Any Mouse (profile), 12 Aug 2011 @ 1:45am

    Re: Re: Re: I'll help em out

    No, they're saying a group of short words is more secure than a single word using numbers and upper and lower case letters. There is a slight distinction, since I can come up with rather long words that would still be less secure.

    reply to this | link to this | view in thread ]

  25. icon
    Richard (profile), 12 Aug 2011 @ 1:56am

    Re: Re: I'll help em out

    Nah - he just thought that the password requirement was not really necessary because no unauthorised person would ever get physical access to the system. That may well have been true at the time the code was written and so what he did was probably sensible - as a way to stop the password system causing hasssle.

    The fault lies with the managers who changed the requirements and re-used the code without a proper review.

    reply to this | link to this | view in thread ]

  26. icon
    Richard (profile), 12 Aug 2011 @ 2:00am

    Re: Re: Re: Re: I'll help em out

    The recommendation from people like Schneier is to use a long passphrase (taking just the initial letters of the words). A few more characters adds as much security as using numbers and special characters - and is easier to remember.

    reply to this | link to this | view in thread ]

  27. icon
    Richard (profile), 12 Aug 2011 @ 2:08am

    Re: Re: Re:

    and the virus problems we had would be a lot smaller if peole hadn't saddled our systems with features designed to enable copy protection/DRM schemes (hidden files, boot sectors, autorun etc).

    reply to this | link to this | view in thread ]

  28. identicon
    Anonymous Coward, 12 Aug 2011 @ 3:45am

    Re: Working in Automation

    I too work in Automation, and can say that some of the attacks being discussed (packet captures and rebroadcasts specifically) are likely to require different hardware entirely which takes time to develop, test, and release to market. Then, once it is released...guess what? People have to replace what is running their plant (shutdown). No one wants to shutdown their production anymore whether for software or hardware reasons. SO, good luck.

    I would also say, that if you have someone on your network able to sniff your network...you already lost.

    I would also guess that Siemens is not the only Automation vendor that is vulnerable to these types of attacks.

    reply to this | link to this | view in thread ]

  29. icon
    Josef Anvil (profile), 12 Aug 2011 @ 5:32am


    But a billion dollars IS sexy

    reply to this | link to this | view in thread ]

  30. identicon
    Rob, 12 Aug 2011 @ 5:44am

    Re: I'll help em out

    Boy...it's a good thing you aren't in security. A simple vs. highly complex HARD CODED password makes no difference. The problem isn't the password's complexity. The problem is the fact that it's hard coded. This means anyone can analyze the programs, determine the password and then use it to guarantee access to every installation with that same authorization information. On top of that, short of updating the programs (think microcode on hardware controllers which, given the LOB StuxNet attacked, may or may not even be possible without replacing a chip), there isn't anything an organization can do to prevent the access short of turning off the equipment!

    reply to this | link to this | view in thread ]

  31. identicon
    Rich Kulawiec, 12 Aug 2011 @ 5:50am

    Re: Re: Re: Re:

    That's a good solution for the immediate problem, but it leaves unanswered a much larger question, to wit:

    Why are you running an OS that can be infected by viruses?

    One of the worst things that Microsoft has done for IT is to train newcomers that this circumstance is normal -- that is, that it's a reasonable thing for an OS to be extremely vulnerable to viruses, so much so that extra software (cue greedy AV vendors) is required to even have a slight chance of defending it.

    But it's not normal. It's an aberration. Quality operating systems are nearly impervious to viruses, and those are the systems that should be used.

    (What do I mean by "nearly impervious"? Try OpenBSD. No, really, try it. Try writing a virus that can successfully penetrate the system. Good luck with that.)

    I don't use AV software because I don't need to, and I don't need to because I don't allow broken operating systems in my environment. And THAT is single biggest step that just about every organization could take toward better security.

    But they won't. They're either too dim-witted to get past years of conditioning by Microsoft/AV vendors, or they're too stubborn, or they're too cheap, or they're too we've-always-done-it-this-way, or they're too unwilling to admit their error, or they're unwilling to learn, or whatever. They will resist and resist and resist...and meanwhile, their organizations will be hacked at will, whenever a bored teenager or two feels like it. (See: Anon, LulzSec, etc.) They will use the usual excuse ("Blame It On China") but really, why should the Chinese trouble themselves when any script kiddie can pwn their entire infrastructure?

    reply to this | link to this | view in thread ]

  32. identicon
    Dave, 12 Aug 2011 @ 6:01am

    Why not (sarcasm follows)?

    Why not declare cyberwar and ask for $billions from Congress. Congress is used to pissing $billions away on something that catches headlines. "Cyberwar" is easy to pronounce, remember and headline. And the $100k do-nothing contracts - he's not kidding, they exist - I've personally worked with people who not only do practically nothing, but have no skills if they did somehow get motivated.

    Sarcasm off - the USG needs to focus on using what we have to the max vice buying new shit. Focus on quality control, quality hiring and active management - vice foolishly trying to emulate "Best Business Practices" because it sounds professional. And Siemens just got away with selling a ball of schleck to the idiots who'd buy it - so remember that they're incompetent and stop buying their gear ... wait, Washington's BIG on name recognition, so that'll never work! (okay, sarcasm came back).

    reply to this | link to this | view in thread ]

  33. identicon
    Uncle Paul, 12 Aug 2011 @ 6:37am

    It's about the person acting on the Vulnerability

    What the author of the techdirt piece fails to connect isn't that businesses have long overlooked cyber security in their risk analysis, but a cyber war is going on and simply capitalizes on the path of least resistance. APT exists, it's real, and there are multiple state actors that fit into this profile. The latest is Operation Shady RAT http://blogs.govinfosecurity.com/posts.php?postID=1020. But also this year was the RSA hack by APT which then pivoted to L-3 Communications and Lockheed Martin http://www.wired.com/threatlevel/2011/05/l-3/.

    There are 4 basic external cyber threat models (aside from disgruntled employees).

    1. State actors
    2. Organized Crime
    3. Social or political driven groups (LulzSec)
    4. Opportunist

    NIST actually has a special publication (SP 800-82) for PLC and other types of industrial control systems.


    But, as others here have noted, businesses and even goverments aren't willing to shut down production lines to address cyber security. To make make matters worse in the case of industrial control systems that operate 24x7 with shift changes and control rooms, the use of more fixed passwords or certificates need to exist so other areas of defense need to be added to compensate. Also part of the problem is software and hardware manf never considered industrial systems as targets so never built in security and are very often painfully slow at rolling out security patches to OSs (both Linux and Windows based). People don't want to patch a system until it's been approved by the vendor. Nor is it easy to simply replace whole systems with new vendors.

    Take a moment to read about the Smart Grid hacks: http://gigaom.com/cleantech/hacking-the-smart-grid/

    Or the newer power meters on your house: http://www.nctimes.com/business/article_244ff4dc-7f2b-5a8b-96d2-dc14c17681bf.html

    reply to this | link to this | view in thread ]

  34. icon
    DannyB (profile), 12 Aug 2011 @ 6:49am


    More likely it's not that the morons at Siemens are stupid, but rather just lazy.

    Managers give programmers very little time to do things right. They just want it done quick. If the first implementation works, then ship it. Security? We'll fix that in version 2.0. After we fix a bunch of other issues that customers actually care about.

    reply to this | link to this | view in thread ]

  35. identicon
    Anonymous Coward, 12 Aug 2011 @ 8:44am

    Re: Re: Re: Re: Re:

    Control Systems were moved off of *nix based Operating Systems several years ago because "*nix is too hard", and "our IT department wants it to be Windows so they can manage the computers."

    Make up our mind, security or ease of use. They really are mutually exclusive.

    i.e. No USB may be more secure, but it is a royal pain when needing to move data back and forth for support purposes, or for general archiving of data.

    i.e. Air gap is more secure (possibly), but it makes it hard for a distributed company to monitor remote installations.
    Also, management cannot have the pretty reports without a network connection of some sort.

    reply to this | link to this | view in thread ]

  36. icon
    techflaws.org (profile), 13 Aug 2011 @ 3:12am

    Re: Re: I'll help em out

    Is your irony detector off?

    reply to this | link to this | view in thread ]

  37. identicon
    Michael Kohne, 14 Aug 2011 @ 12:50pm

    Siemens wasn't lazy, just responding to the market

    And the market didn't want to think about security. In fact, unless I miss my guess, the market probably said 'security? Yea, I want that. Unless it gets in the way of doing stuff.'

    You know, the same reasons Microsoft does what it usually does. Because otherwise people won't buy it!

    reply to this | link to this | view in thread ]

  38. identicon
    Jewell Dziendziel, 22 Aug 2011 @ 10:55am

    IT security

    Thought you might be interested in this article on IT and Oracle EBS security.

    http://www.unitask.com/2011/08/government-agencies-need-oracle-ebs-data-security-now-more-than-e ver/


    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.